Description

In Development IL ecdh before 0.2.0, an attacker can send an invalid point (not on the curve) as the public key, and obtain the derived shared secret.

Remediation

References

https://github.com/developmentil/ecdh/issues/3

Related Vulnerabilities

CVE-2022-25860 Vulnerability in maven package org.webjars.npm:simple-git

CVE-2018-16491 Vulnerability in npm package node.extend

CVE-2020-28458 Vulnerability in npm package datatables.net

CVE-2019-10793 Vulnerability in npm package dot-object

CVE-2020-28168 Vulnerability in npm package axios

Severity

High

Classification

CWE-668 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Exploit Issue Tracking